Security

Hi All,

Im trying to understand the way the external captive portal works but im struggle with getting the right info. The goal is we use a existing captive portal Form thats hosted on a webserver somewhere on the internet. 

So this is my understanding of what i found:

• Create SSID with security level "Visitors"
• Here ill choose External Captive Portal
• I create a captive portal profile that points to the external server.
• Then i need to select Primary server. Since i dont have an external server i like to use the internal server. But im not sure how to configure this.
  
  • In the past in the old instant ap's  you could just choose authentication text but this feature is not available anymore
• On the server side we get a little bit of code with  <form method="POST" action="https://securelogin.arubanetworks.com/swarm.cgi"> (where we can change this to our own domain after uploading certificate)
  • we have to include <input type="hidden" name="cmd" value="authenticate" />
  • There are few other fields

So the questions i have

• Do i have to use the Radius server or are there other possibility's? 
  • I need to use the internal radius server of the ap's since in this situation there is not an external one
  • In the server i have to "post" back some information to the domain name. I assume this is the local AP's managed bij Aruba Central so i need to open some firewall ports 80/443 for this to work?

I hope someone can help me out to better understand. 

You need to configure the Radius Server when you want to have a kind of authentication.

For only "Accespt Terms & Conditions" you don´t need it.

Here are some useful documentations:

https://www.arubanetworks.com/techdocs/central/latest/content/nms/nwk-services/conf-ext-cp.htm

https://www.flomain.de/2016/12/aruba-instant-with-external-captive-portal/

Be aware of using public trusted vertificates otherwise Apple / Google etc. won´t open the external Captive Portal.

This is what you don´t have to take care of if you are using the inbuild Captive Portal function of Central and I cannot see why you aren´t using this. This makes it much more efficient and easy to maintain.

Hi All,

Im trying to understand the way the external captive portal works but im struggle with getting the right info. The goal is we use a existing captive portal Form thats hosted on a webserver somewhere on the internet. 

So this is my understanding of what i found:

• Create SSID with security level "Visitors"
• Here ill choose External Captive Portal
• I create a captive portal profile that points to the external server.
• Then i need to select Primary server. Since i dont have an external server i like to use the internal server. But im not sure how to configure this.
  
  • In the past in the old instant ap's  you could just choose authentication text but this feature is not available anymore
• On the server side we get a little bit of code with  <form method="POST" action="https://securelogin.arubanetworks.com/swarm.cgi"> (where we can change this to our own domain after uploading certificate)
  • we have to include <input type="hidden" name="cmd" value="authenticate" />
  • There are few other fields

So the questions i have

• Do i have to use the Radius server or are there other possibility's? 
  • I need to use the internal radius server of the ap's since in this situation there is not an external one
  • In the server i have to "post" back some information to the domain name. I assume this is the local AP's managed bij Aruba Central so i need to open some firewall ports 80/443 for this to work?

I hope someone can help me out to better understand. 

Hi cordless,

Thanks for the info. So a radius server is mandatory in the configuration, but as i understand correctly its not needed so its like a placeholder. So it would not matter what ip address i put in there?

So with the cmd as "authenticate" the AP knows it has to switch the pre auth role to the role defined in the security. Does the name "authenticate" has to match the role name?

Thanks

You need to configure the Radius Server when you want to have a kind of authentication.

For only "Accespt Terms & Conditions" you don´t need it.

Here are some useful documentations:

https://www.arubanetworks.com/techdocs/central/latest/content/nms/nwk-services/conf-ext-cp.htm

https://www.flomain.de/2016/12/aruba-instant-with-external-captive-portal/

Be aware of using public trusted vertificates otherwise Apple / Google etc. won´t open the external Captive Portal.

This is what you don´t have to take care of if you are using the inbuild Captive Portal function of Central and I cannot see why you aren´t using this. This makes it much more efficient and easy to maintain.

Hi All,

Im trying to understand the way the external captive portal works but im struggle with getting the right info. The goal is we use a existing captive portal Form thats hosted on a webserver somewhere on the internet. 

So this is my understanding of what i found:

• Create SSID with security level "Visitors"
• Here ill choose External Captive Portal
• I create a captive portal profile that points to the external server.
• Then i need to select Primary server. Since i dont have an external server i like to use the internal server. But im not sure how to configure this.
  
  • In the past in the old instant ap's  you could just choose authentication text but this feature is not available anymore
• On the server side we get a little bit of code with  <form method="POST" action="https://securelogin.arubanetworks.com/swarm.cgi"> (where we can change this to our own domain after uploading certificate)
  • we have to include <input type="hidden" name="cmd" value="authenticate" />
  • There are few other fields

So the questions i have

• Do i have to use the Radius server or are there other possibility's? 
  • I need to use the internal radius server of the ap's since in this situation there is not an external one
  • In the server i have to "post" back some information to the domain name. I assume this is the local AP's managed bij Aruba Central so i need to open some firewall ports 80/443 for this to work?

I hope someone can help me out to better understand. 

<input type="hidden" name="cmd" value="authenticate" />

Is a command to authenticate, that is no role or something.

As already mentioned, why don´t you use the inbuild Guest Solution in Central - no extra charge!

You don´t have to create valid certificates, taking care about configuration and external Server, etc.

Authentication server is not needed, when you don´t do authentication.

It is pretty easy and a very flexible function in Aruba Central - https://www.arubanetworks.com/techdocs/central/latest/content/nms/nwk-services/splash-page-cfg.htm

Give it a try.

Hi cordless,

Thanks for the info. So a radius server is mandatory in the configuration, but as i understand correctly its not needed so its like a placeholder. So it would not matter what ip address i put in there?

So with the cmd as "authenticate" the AP knows it has to switch the pre auth role to the role defined in the security. Does the name "authenticate" has to match the role name?

Thanks

You need to configure the Radius Server when you want to have a kind of authentication.

For only "Accespt Terms & Conditions" you don´t need it.

Here are some useful documentations:

https://www.arubanetworks.com/techdocs/central/latest/content/nms/nwk-services/conf-ext-cp.htm

https://www.flomain.de/2016/12/aruba-instant-with-external-captive-portal/

Be aware of using public trusted vertificates otherwise Apple / Google etc. won´t open the external Captive Portal.

This is what you don´t have to take care of if you are using the inbuild Captive Portal function of Central and I cannot see why you aren´t using this. This makes it much more efficient and easy to maintain.

Hi All,

Im trying to understand the way the external captive portal works but im struggle with getting the right info. The goal is we use a existing captive portal Form thats hosted on a webserver somewhere on the internet. 

So this is my understanding of what i found:

• Create SSID with security level "Visitors"
• Here ill choose External Captive Portal
• I create a captive portal profile that points to the external server.
• Then i need to select Primary server. Since i dont have an external server i like to use the internal server. But im not sure how to configure this.
  
  • In the past in the old instant ap's  you could just choose authentication text but this feature is not available anymore
• On the server side we get a little bit of code with  <form method="POST" action="https://securelogin.arubanetworks.com/swarm.cgi"> (where we can change this to our own domain after uploading certificate)
  • we have to include <input type="hidden" name="cmd" value="authenticate" />
  • There are few other fields

So the questions i have

• Do i have to use the Radius server or are there other possibility's? 
  • I need to use the internal radius server of the ap's since in this situation there is not an external one
  • In the server i have to "post" back some information to the domain name. I assume this is the local AP's managed bij Aruba Central so i need to open some firewall ports 80/443 for this to work?

I hope someone can help me out to better understand. 

Hey there,

I have set up an external captive portal in AOS 10.x since I need a custom HTML page (mandatory due to company branding) that includes a "Join Wi-Fi" button. The goal is for the user to fill in the custom HTML inputs, which enables the button. Then, when the user clicks the button, a request should be performed to authenticate them, and they should be redirected to the redirection URL configured in the external captive portal setup (or redirected manually if needed).

How can this be achieved?

<input type="hidden" name="cmd" value="authenticate" />

Is a command to authenticate, that is no role or something.

As already mentioned, why don´t you use the inbuild Guest Solution in Central - no extra charge!

You don´t have to create valid certificates, taking care about configuration and external Server, etc.

Authentication server is not needed, when you don´t do authentication.

It is pretty easy and a very flexible function in Aruba Central - https://www.arubanetworks.com/techdocs/central/latest/content/nms/nwk-services/splash-page-cfg.htm

Give it a try.

Hi cordless,

Thanks for the info. So a radius server is mandatory in the configuration, but as i understand correctly its not needed so its like a placeholder. So it would not matter what ip address i put in there?

So with the cmd as "authenticate" the AP knows it has to switch the pre auth role to the role defined in the security. Does the name "authenticate" has to match the role name?

Thanks

You need to configure the Radius Server when you want to have a kind of authentication.

For only "Accespt Terms & Conditions" you don´t need it.

Here are some useful documentations:

https://www.arubanetworks.com/techdocs/central/latest/content/nms/nwk-services/conf-ext-cp.htm

https://www.flomain.de/2016/12/aruba-instant-with-external-captive-portal/

Be aware of using public trusted vertificates otherwise Apple / Google etc. won´t open the external Captive Portal.

This is what you don´t have to take care of if you are using the inbuild Captive Portal function of Central and I cannot see why you aren´t using this. This makes it much more efficient and easy to maintain.

Hi All,

Im trying to understand the way the external captive portal works but im struggle with getting the right info. The goal is we use a existing captive portal Form thats hosted on a webserver somewhere on the internet. 

So this is my understanding of what i found:

• Create SSID with security level "Visitors"
• Here ill choose External Captive Portal
• I create a captive portal profile that points to the external server.
• Then i need to select Primary server. Since i dont have an external server i like to use the internal server. But im not sure how to configure this.
  
  • In the past in the old instant ap's  you could just choose authentication text but this feature is not available anymore
• On the server side we get a little bit of code with  <form method="POST" action="https://securelogin.arubanetworks.com/swarm.cgi"> (where we can change this to our own domain after uploading certificate)
  • we have to include <input type="hidden" name="cmd" value="authenticate" />
  • There are few other fields

So the questions i have

• Do i have to use the Radius server or are there other possibility's? 
  • I need to use the internal radius server of the ap's since in this situation there is not an external one
  • In the server i have to "post" back some information to the domain name. I assume this is the local AP's managed bij Aruba Central so i need to open some firewall ports 80/443 for this to work?

I hope someone can help me out to better understand.